Lithnet Access Manager
v3.0
Setting up agent policies

This guide will walk you through the steps to configure policies for the Lithnet Access Manager Agent.

Agent policies are used to configure features such as password management, RapidLAPS, and BitLocker recovery key backup.

The agent periodically checks in with the Access Manager Server to retrieve the policy that applies to it.

Types of policies

Agent policies are divided into three categories, based on the target operating system: Windows, macOS and Linux.

Each operating system has a default policy, and a set of custom policies.

You can create custom Access Manager Agent policies that are targeted at specific computers, groups and containers - from Active Directory, Microsoft Entra, or AMS.

Policy precedence

Policies are processed in the order they appear in the custom agent policy list. The first policy that matches a given computer is the policy that will be used.

You should ensure that the most specific policies (e.g. policies that target individual computers and groups) are located at the top of the list.

If no matching policy can be found, the default agent policy will be used.

Default agent policy

The default agent policy is the 'fallback' policy that will be used when a computer does not match any of the custom policies configured.

It should contain settings that are applicable as a default base across your environment.

If all computers should have the same policy settings, then there is no need to configure custom policies at all.
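The precedence and fallback rules above (ordered custom policies, first match wins, default policy otherwise), as a constructed model that is not AMS code: the target kinds, the distinguished-name suffix match for Active Directory containers and the specificity ranking are assumptions made for illustration. It also includes a small ordering check that flags a specific policy listed below a broader one, which is the mis-ordering the guidance warns about.

```python
from dataclasses import dataclass, field

# Constructed model of agent policy precedence (not AMS code): custom policies are an
# ordered list, the first match wins, and the default policy is the fallback.
# Target kinds, the DN-suffix container match and the ranking are assumptions.
SPECIFICITY = {"computer": 0, "group": 1, "container": 2}  # lower = more specific

@dataclass
class Computer:
    name: str
    groups: set = field(default_factory=set)
    dn: str = ""  # constructed AD distinguished name

@dataclass
class Policy:
    name: str
    checkin_minutes: int = 60
    targets: list = field(default_factory=list)  # (kind, value) pairs

def matches(policy: Policy, computer: Computer) -> bool:
    """True if any target of the policy covers the computer."""
    for kind, value in policy.targets:
        if kind == "computer" and value.lower() == computer.name.lower():
            return True
        if kind == "group" and value in computer.groups:
            return True
        if kind == "container" and computer.dn.lower().endswith("," + value.lower()):
            return True
    return False

def resolve(custom: list, default: Policy, computer: Computer) -> Policy:
    """First matching custom policy wins; otherwise the default applies."""
    return next((p for p in custom if matches(p, computer)), default)

def ordering_warnings(custom: list) -> list:
    """Flag policies listed below a broader policy, which may shadow them."""
    warnings = []
    for i, later in enumerate(custom):
        later_spec = min(SPECIFICITY[k] for k, _ in later.targets)
        for earlier in custom[:i]:
            if min(SPECIFICITY[k] for k, _ in earlier.targets) > later_spec:
                warnings.append(f"'{later.name}' is more specific than '{earlier.name}' but listed after it")
    return warnings

# Constructed sample: a broad OU policy placed above a tighter group policy.
DEFAULT = Policy("Default", checkin_minutes=60)
CUSTOM = [Policy("Servers OU", 30, [("container", "OU=Servers,DC=example,DC=com")]),
          Policy("Tier-0 hosts", 5, [("group", "Tier0-Servers")])]
DC1 = Computer("DC1", {"Tier0-Servers"}, "CN=DC1,OU=Servers,DC=example,DC=com")
LAPTOP = Computer("LT-042", set(), "CN=LT-042,OU=Laptops,DC=example,DC=com")
```

With the sample order, DC1 resolves to the OU policy and the five-minute Tier-0 policy never applies; reversing the list fixes that, as the warning indicates.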

Creating a new policy

If you need to vary policy settings between devices, then you'll need to create a custom policy, and target it to those devices.

Step 1. Navigate to an OS-specific policy page

To create an agent policy, first select the operating system you wish to configure a policy for in the sidebar, under Access Manager Agent / Agent policies.

Step 2. Create a new custom agent policy

Click the Create new... button at the bottom of the custom agent policy list.

Step 3. Configure general policy settings

On the first page of the policy editor, configure a memorable name and a description for your custom policy.

Next, configure the "Agent check-in interval". This setting determines how frequently, in minutes, the agent should attempt to check in with the server. When an agent checks in, it receives policy updates, resets local administrator account passwords (if required), and backs up disk encryption keys (if required). The default check-in interval is 60 minutes.

Next, configure the "targets" for your custom policy. Policies can be targeted at specific computers, groups and containers - from Active Directory, Microsoft Entra, or AMS.

To add a new target to a policy, simply click Add... at the bottom of the target list, and follow the prompts to select your target computer, group, or container.

Step 4. Configure your policy settings

Next, you can configure agent settings by selecting from the tabs on the left-hand side of the policy editor.

For more details, visit the appropriate guide for setting up each feature:

  • Setting up Lithnet LAPS
  • Setting up RapidLAPS (Windows only)
  • Setting up BitLocker backup (Windows only)

Step 5. Save the policy

To save the custom policy and make it available for clients, simply click the Save button in the bottom right-hand corner of the policy editor.

More information

For more information on the different settings configurable in agent policies, see the corresponding help page:

  • Windows agent policies page
  • macOS agent policies page
  • Linux agent policies page
  • Legacy (v2) agent policies page